Cyber Insurance Strategy Requires CISO-CFO Collaboration

The continually growing volume of cyberattacks and online threats is helping to make the purchase of cyber insurance a regular occurrence for many organizations. While insurance has typically been the domain of the organization's board of directors, in partnership with the CFO, the technical nature of cyber-risk means the CISO is increasingly being asked to be part of the conversation.

Indeed, cyber insurance has become the norm for many organizations. More than half of the respondents in Dark Reading's most recent Strategic Security Survey say their organizations have some form of cyber insurance coverage. While 29% say cyber insurance coverage is part of a broader business insurance policy, 28% say they have a policy specifically for cybersecurity incidents. Nearly half of the organizations (46%) say they have a policy that covers ransomware payments.

A cyber insurance policy helps organizations pay for at least some of the financial losses they may incur in the event of an attack or data breach, such as costs related to investigating and responding to the incident, remediation, crisis communications, ransom/extortion payments, legal liabilities, and loss of revenue. While insurance does not "eliminate the need for proactive and resilient cyber controls," it does offer a "safety net" for potential financial loss, according to a new "Perspectives on Security for the Board" report from Google Cloud's Office of the CISO. The goal of this report series is to empower boards to take a more active role overseeing the organization's cyber-risk.

"The financial and legal ramifications of cyber attacks demand meticulous insurance strategies, yet crafting them requires a deep understanding of the evolving risks," the report states, before recommending that boards facilitate cooperation between the security organization – with technical expertise – and the finance organization – with the focus on financial impact.

Collaborating on a Stronger Story

"How to talk about risk and how to manage and mitigate risks is now becoming much more important for the CISO organization to understand," says Monica Shokrai, head of business risk and insurance at Google Cloud, while noting that communicating risk upward is something the CFO has been "doing forever." Instead of trying to turn CISOs into "cyber CFOs," the two organizations should work together to develop a coherent and integrated strategy for the board, she says.

The finance organization is used to quantifying risk, deciding how much risk an organization has, and then optimizing an insurance program to decide how much risk to retain versus how much risk to transfer. Since the finance side of the house doesn't have the background in cyber-risk, they're less likely to get the model right. The security side of the house has that expertise and understanding of cyber-risk and technology. Cyber-risk quantification helps model potential losses.

"The CISO's technical expertise is invaluable, but true power comes from translating risks into their potential financial impact on the business," Google Cloud wrote in the report. "By collaborating with Finance, and utilizing public breach data alongside the company's own incident history, companies can develop a robust cyber risk model."

The board looks at the risks of the company, tries to determine how those risks affect the company's balance sheet, and then decides how much risk to transfer. Calculating the financial impact is part of the insurance strategy, and that is similar between cyber insurance and other types of insurance. Traditional insurance, such as auto liability or worker's compensation, is based on established case law, so the average board member knows what is and isn't covered. In contrast, cyber insurance is still figuring out exclusions — such as cyberwar, systemic risk, and generative artificial intelligence.

"What's still emerging about cyber insurance is that boards are starting to recognize the magnitude of the risk that they as an organization are being faced with," Shokrai says.

It is never too early for security and finance to collaborate on cyber-risk management as the finance team already has to think about what risks to accept and what risks to insure against.

"If you start with cyber-risk quantification, you at least have a benchmark through which you can adjust up and down over time and you can iterate on. It is expected that you will continue to adjust that model as you learn more," Shokrai says. "You might as well start that collaboration early and improve both teams in the process."